Reposting official announcement on behalf of Robyn Bergeron:
Hello again, Fedora community.
This is an update on Fedora’s response to CVE-2014-0160 (aka “Heartbleed”). This is a critical security vulnerability that requires your immediate attention.
Updates are now available, and are being pushed to our mirror network. The update announcements for Fedora 19 and Fedora 20 are available at:
- [SECURITY] Fedora 19 Update: openssl-1.0.1e-37.fc19.1
- [SECURITY] Fedora 20 Update: openssl-1.0.1e-37.fc20.1
Apply updates with
sudo yum upgrade openssl openssl-libs
or with your graphical package manager.
After applying the update, please make sure to restart all services which use OpenSSL. You may find it easiest to simply restart your system. However, if you prefer, you may restart any affected services manually. You can get an overview of programs that need to be restarted by using the command line tool
sudo needs-restarting
(This is included in the yum-utils package.) Restart all listed programs until the output of needs-restarting is empty.
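The procedure above (update, then verify, then restart anything still holding the old library) can be scripted. The following is an added example, not part of the announcement and not code from yum-utils or the Fedora project: it checks the rpm changelog for the CVE id (the check several commenters below describe, since `openssl version` keeps printing 1.0.1e on a fixed build), and then scans `/proc/<pid>/maps` for processes that still map a replaced `libssl`/`libcrypto` file, which is a lightweight stand-in for `needs-restarting` and an assumption of this example rather than that tool's logic. The changelog and maps lines used for the offline self-check are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Fedora announcement or yum-utils): verify the
# backported CVE-2014-0160 fix and find processes still running the old OpenSSL.
# Assumes a Fedora host with rpm and a Linux /proc; the maps scan is an
# assumption of this example, not the needs-restarting implementation.

CVE="CVE-2014-0160"

# Return 0 if the changelog text on stdin mentions the given CVE id.
# "openssl version" still prints 1.0.1e on a fixed build, so the package
# changelog (rpm -q --changelog) is the reliable indicator.
changelog_has_fix() {
    grep -q -- "$1"
}

# Return 0 if the /proc/<pid>/maps text on stdin shows libssl or libcrypto
# mapped from a file that has since been replaced ("(deleted)"): that process
# is still executing the pre-update library and must be restarted.
maps_uses_stale_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Print the PIDs of processes that still map a replaced OpenSSL library.
stale_openssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if maps_uses_stale_openssl < "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample data so the helpers can be exercised offline.
SAMPLE_CHANGELOG_FIXED='* Mon Apr 07 2014 Package Maintainer <maintainer@example.com> 1.0.1e-37.1
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Thu Jan 09 2014 Package Maintainer <maintainer@example.com> 1.0.1e-36
- earlier unrelated change'
SAMPLE_CHANGELOG_OLD='* Thu Jan 09 2014 Package Maintainer <maintainer@example.com> 1.0.1e-36
- earlier unrelated change'
SAMPLE_MAPS_STALE='7f2a3c000000-7f2a3c1c0000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)'
SAMPLE_MAPS_FRESH='7f2a3c000000-7f2a3c1c0000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e'

# Live check against the running system.
main() {
    if rpm -q --changelog openssl-libs 2>/dev/null | changelog_has_fix "$CVE"; then
        echo "openssl-libs changelog mentions $CVE: fix is present"
    else
        echo "no $CVE entry in the openssl-libs changelog: run 'sudo yum upgrade openssl openssl-libs'"
    fi
    pids=$(stale_openssl_pids)
    if [ -n "$pids" ]; then
        echo "processes still using the old libssl/libcrypto, restart them:"
        echo "$pids"
    else
        echo "no process maps a replaced OpenSSL library"
    fi
}

# Run the live checks only when asked, so the helpers can be sourced elsewhere.
if [ "${1:-}" = "--live" ]; then
    main
fi
```

Run it as `sh heartbleed_check.sh --live` on the host after the update; an empty PID list here corresponds to empty output from `needs-restarting`. Note that the maps scan only sees processes whose library file was replaced on disk, so a daemon restarted after the update will correctly drop off the list.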
The Fedora Cloud images linked at https://fedoraproject.org/en/get-fedora#cloud have been recreated with the updated packages preinstalled.
Fixes have been applied to servers used in Fedora infrastructure and we are investigating any further remediation which may be necessary.
Special thanks to Robert Mayr, Kévin Raymond, Dennis Gilmore, Matthew Miller, Paul Frields, Major Hayden, Kurt Seifried, Kevin Fenzi, William Brown, Nick Bebout, Adam Williamson, Joachim Backes, Pádraig Brady, Lokesh Mandvekar, David Strauss, Joop Braak, Michael Cronenworth, Till Maas, Luke Macken, and others for their efforts in making these updates available quickly.
– Robyn Bergeron
Bhumish
I was eagerly waiting for this upgrade. A lot of thanks!
mike
I’m using fc19, and when I run the command
‘openssl version’ I see
OpenSSL 1.0.1e-fips 11 Feb 2013
I guess the question is, how do I know for sure about the vulnerability? Reading http://heartbleed.com/, they suggest 1.0.1g is the level folks need to be at.
Eugene
You can check the changelog of a package to see if a specific vulnerability fix was backported:
sudo rpm -q --changelog openssl | head -n 3
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extensio
Anonymously
Thx for the tip, I also had the same question. Another question I have is: how often do Fedora maintainers update *important* packages like this one? I realize the answer may vary, but I’d feel slightly more secure if it were more often than not.
Till
You can check with rpm, it should show you whether your package contains the fix. An easy to verify indication is the changelog of openssl-libs:
- pull in upstream patch for CVE-2014-0160
sean darcy
Fedora really needs to move to 1.0.1g. I realize RH has patched 1.0.1e, but many of our customers are following the general advice not to connect to any OpenSSL < 1.0.1g. This is a real pain: given all the paranoia around, many people aren't interested in a discussion about patches, and some even have a corporate policy now.
Josh
I agree with Sean. There is no indication that this is a patched version. If you run ‘openssl version’ you get
OpenSSL 1.0.1e-fips 11 Feb 2013
The right thing to do is to release a 1.0.1g version or, at the very least, bump the version date to April 2014.
Matthew Miller
Of course, the new version might introduce new flaws. Fun all around. Use rpm -q --changelog openssl | less to see the changelog, where it is clearly noted that the vulnerability is patched.
But most importantly, you’re really talking to the wrong people in comments here; https://bugzilla.redhat.com/show_bug.cgi?id=1049231 is the tracking bug (although, a huge amount of chatter there will just be distracting to the package maintainer rather than helpful, so don’t overdo it)….